SA-03 Life Cycle Support

System and Services Acquisition

Low Moderate High Privacy

Description

The organization manages the information system using a system development life cycle methodology that includes information security considerations.

Supplemental Guidance

NIST Special Publication 800-64 provides guidance on security considerations in the system development life cycle.

Changes from Rev 4

Control text adds privacy. Discussion is expanded to include the benefits of effective integration of security and privacy requirements into enterprise architecture.

Enhancements

(0) None.

Compliance Mappings

ISO 27001:2022

7.1, A.5.8, A.8.25

ISO 27002:2022

5.8, 8.25

COBIT 2019

BAI01, BAI03, BAI11, EDM04

CIS Controls v8

CIS 16, CIS 16.1

NIST CSF 2.0

GV.SC-09, ID.AM-08, PR.PS-06

SOC 2 TSC

CC5.2, CC8.1, CC8.1-POF1

PCI DSS v4.0.1

6.1, 6.2

CSA CCM v4

AIS-04, AIS-06, IVS-07

CSA AICM v1

AIS-04, AIS-06, AIS-11, AIS-15, I&S-07, MDS-02, MDS-04, MDS-10, MDS-11

ISO 42001:2023

A.6.1.2, A.6.1.3

NIS2 Directive

Art. 21(2)(e)

MAS TRM

56

ANSSI

Hygiene.34, Hygiene.36, SecNumCloud.15.1

FINMA Circular 2023/1

IV.A(28), IV.A(36), IV.A(37)

OSFI B-13

B-13.2.1, B-13.2.2

EU GDPR

Art.25(1), Art.28(1)

EU DORA

Art.7(1), Art.8(5)

BIO2

5.8, 8.25

RBI CSF

Annex1.6ITGRCA.12

FISC Security Guidelines

FISC.O10, FISC.T1, FISC.T6

HKMA TM-E-1

TME1.3.1, TME1.3.2

MLPS 2.0

8.1.9.4, 8.1.9.5

DNB Good Practice

DNB.19.3

EU CRA

CRA.I.1

SAMA CSF

1.43.2

NCA ECC

1-6

UAE IA

T10

CBB TM

TM-7

Qatar NIA

SD

CBUAE

CR-6

CBE CSF

CTO-4

SA JS2

JS2-SA

BoG CISD

CISD-IX, CISD-SDLC

BoM CTRM

1.33.113.7

IOSCO Cyber Resilience

PROT-6

BCBS 239

Principle 2, Principle 6

FFIEC IS

I.C, II.C.17, II.C.2

NYDFS 500

500.8

EBA ICT Guidelines

3.5(a), 3.5(b), 3.6.1, 3.6.2

SEBI CSCRF

PR.AS, PR.IP

BOT Cyber Resilience

Ch2.5, Ch6.2

IEEE 1686-2022

5.10

PCI PTS v6

H

FIPS 140-3

FIPS 140-3 §7.11

Common Criteria

CC Part 3 — SAR

ISAE 3402

Clause 4

Solvency II

EIOPA-ICT-4.11

Lloyd's Minimum Standards

BP2.1, MS1.1

NAIC Insurance Data Security

4-config

PRA SS1/23

P3.1, P5.5

FCA SYSC 13

SYSC 13.7.1, SYSC 13.8.4

HITRUST CSF v11

09.b, 10.a, 10.d

FDA 21 CFR Part 11

§11.10(a)

FDA Cybersecurity Guidance

SPDF-1

ISO 27799

14.1, 14.2

MiCA

Art.62(5)

Basel SCO60

SCO60.52

ISO 17799 (legacy)

None.

COBIT 4.1 (legacy)

PO8.3, AI2.7